SOUTH-EAST Asia’s data protection regulation landscape has witnessed significant activity in the past two years, including the enactment of new personal data protection laws in Vietnam and Indonesia, and the enforcement of the Asean Model Contractual Clauses (MCCs). For businesses, this means navigating an ever more complex and diverse regulatory terrain on personal data, constraining the region’s digital economy growth potential.

Existing regional efforts like the MCCs and trade agreements, however, are insufficient in harmonising national regulations, thereby failing to foster a business-friendly regional data landscape.

The significant disparities in personal data protection regulations across Asean countries create formidable barriers for businesses. Besides legal frameworks being at various stages of development, the content of data protection laws also differs significantly due to widely different national interests. At the most liberal end, the Philippines takes a very business-oriented approach with minimal cross-border data transfer restrictions, while Vietnam, on the other end of the spectrum, heavily emphasises national security and requires extensive data localisation.